Having troubles with NIMDA Traffic

alvinslocombe
Level 1

We are having NIMDA problems like crazy. We did the class map like instructed to block out the traffic, but it is still getting to our servers. We are running a Cisco 2610 router with two Serials and one Ethernet. Both serials have a T1 each coming in on them, and the Ethernet sends those T1s out to our Ethernet switch. Config in question is below:

The class map we created:

class-map match-any http-hacks

match protocol http url "*cmd.exe*"

match protocol http url "*root.exe*"

match protocol http url "*.ida*"

match protocol http url "*readme.eml*"

The Policy map we created:

policy-map drop-hack

class http-hacks

police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop

This is our Ethernet that goes out to our switch. Should it have the service policy on it as well? Not clear on this:

interface Ethernet0/0

This is the first T1, and I have the service policy activated on it. The IP access group is for IPs that we block out from our network:

interface Serial0/0

ip access-group 6 in

service-policy input drop-hack

This is the second T1, and I have the service policy activated on it. The IP access group is for IPs that we block out from our network:

interface Serial0/1

ip access-group 6 in

service-policy input drop-hack

Thank You

Alvin Slocombe
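The configuration below is an added example, not the original poster's config or Cisco's published text. It collects the class map, policy map and interface bindings from the post into one contiguous IOS snippet and adds the one prerequisite the post does not show: NBAR classification (match protocol http url) only works when Cisco Express Forwarding is enabled, so a router without ip cef will silently match nothing and the policing action never fires. Interface names and access list 6 are taken from the post as-is; the contents of access list 6 are not shown on the page and are assumed to already exist on the router.

```cisco
! Added example: NBAR-based filter for Nimda/Code Red HTTP probes on a 2610
! with two inbound T1s. Not the original poster's running config.
!
! Prerequisite: NBAR needs CEF switching enabled; without it the class-map
! below never matches and nothing is dropped.
ip cef
!
! Classify HTTP requests whose URL contains the worm's characteristic strings.
class-map match-any http-hacks
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*.ida*"
 match protocol http url "*readme.eml*"
!
! Police the class to zero: every packet, whether conforming, exceeding or
! violating the rate, is dropped, so the rate values are effectively irrelevant.
policy-map drop-hack
 class http-hacks
  police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
!
! Apply the policy inbound on both Internet-facing serials so the worm traffic
! is discarded before it is switched toward Ethernet0/0 and the LAN.
! Access list 6 (contents not shown on the page) is assumed to exist.
interface Serial0/0
 ip access-group 6 in
 service-policy input drop-hack
!
interface Serial0/1
 ip access-group 6 in
 service-policy input drop-hack
!
! Verification: the per-class packet counters in this output should climb while
! probes are arriving. Counters stuck at zero usually mean CEF is off or the
! policy is bound to the wrong interface or direction.
! show policy-map interface Serial0/0
! show policy-map interface Serial0/1
```

Because the policy sits inbound on the serial interfaces, it is evaluated before the traffic reaches Ethernet0/0, so the check above (show policy-map interface on each serial) is the first thing to inspect when the servers still see the requests.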

2 Replies

mmellet
Level 3

Is there any way to aggregate NIMDA into one alarm? Getting too many alarm emails. Only idea I had is to reduce severity on 5 of the six alarms I get, but I don't like that.

re:

NIDS operators will not see an alarm that identifies Nimda by name. They will see a series of these alarms as Nimda tries different exploits to compromise the target. These alarms will identify the source address of hosts that have been compromised and should be isolated from the network, cleaned, and patched.